RISK MANAGEMENT & INSURANCE SAN DIEGO STATE UNIVERSITY Report Number 98-26 August 24, 1998 Members, Committee on Audit Stanley T. Wang, Chair Ali C. Razi, Vice Chair Ronald L. Cedillos Jim Considine Harold Goldwhite James H. Gray Eric C. Mitchell Joan Otomo-Corgel Ralph R. Pesqueira University Auditor: Larry Mandel Senior Director: Norman Buettner Audit Manager: Jim Usher Staff BOARD OF TRUSTEES THE CALIFORNIA STATE UNIVERSITY
CONTENTS INTRODUCTION Purpose...1 Scope and Methodology...1 Background...2 Opinion...3 Executive Summary...3 OBSERVATIONS, RECOMMENDATIONS, AND CAMPUS RESPONSES Policy...5 Advisory Council Functions...5 Best Practices...6 Insurer Ratings...7 ii
CONTENTS APPENDICES APPENDIX A: APPENDIX B: APPENDIX C: Personnel Contacted Campus Response Chancellor s Acceptance ABBREVIATIONS AGPIP AIME CSU CSURMA EO IDL IIPP JPA NDI ORIM RFIN RMAC SCIF SDSU UI Auxiliary Group Purchase Insurance Program - CSURMA Athletic Injury Medical Expenses - CSURMA California State University CSU Risk Management Authority (a JPA) Executive Order Industrial Disability Leave Illness and Injury Prevention Program Joint Powers Authority Nonindustrial Disability Insurance Office of Risk Management and Insurance - State Department of General Services Resolution, Committee on Finance (CSU Board of Trustees) Risk Management Advisory Council (at SDSU) State Compensation Insurance Fund - State Department of Industrial Relations San Diego State University Unemployment Insurance iii
INTRODUCTION PURPOSE Our overall audit objectives were to review: reliability, confidentiality, and integrity of information; compliance with relevant federal and state law, Trustee policy, and Chancellor s Office directives; effectiveness, efficiency, and economy of operations; and attainment of established objectives. Within the overall audit objectives, specific goals included reviewing controls designed to ensure that: 4 the most significant risk exposures are addressed; 4 risk management costs are controlled; 4 best/prudent practices are assimilated; 4 process mapping tasks and timelines are fully implemented; 4 train-the-trainer investments are realizing a reasonable return; 4 liabilities are not unintentionally assumed due to contracts with inappropriate indemnification, inadequate insurance provisions, expired/flawed coverages, or such unacceptable campus practices as not notifying insurers of claims/incidents on a timely basis; and 4 recordkeeping and reporting are adequate for program administration. SCOPE AND METHODOLOGY The scope of this audit covered the five steps described in Executive Order 533 and included the processes by which the campus identifies risks, evaluates their seriousness, selects the best risk management strategy/technique, implements the most appropriate technique, and evaluates the results. Fiscal year 1997/98 was the primary period reviewed. We interviewed campus personnel and tested contracts and leases, insurance certificates and policy endorsements, financial ledgers, and claim forms. The premium assessed the campuses for participation in the Risk Pool/CSURMA (CSU Risk Management Authority) is based, in large part, on actuarial assumptions and estimates of reserve requirements. In their audit of the CSU s financial statements, KPMG Peat Marwick reviewed these factors and concur with the CSU s calculations. Consequently, the financial aspects of risk management and insurance were not emphasized in this audit. Page 1
INTRODUCTION We have not performed any auditing procedures beyond the date of this report. Accordingly, our comments are based on our knowledge as of that date and should be read with that understanding. Since the purpose of our comments is to suggest areas for improvement, comments on favorable matters are not discussed. BACKGROUND Prior to fiscal year 1995/96, the CSU Chancellor s Office paid all liability, workers compensation and Industrial Disability Leave (IDL), Non-Industrial Disability Insurance (NDI), Unemployment Insurance (UI) claims, and related expenses. As claims became payable, the CSU funded these liabilities on a cash basis. Beginning in fiscal year 1995/96, the campuses became accountable for these liabilities. Funds that were formerly administered centrally were prorated to the campuses. A risk pool arrangement was simultaneously established as a funding mechanism for campuses to share costs while being encouraged to manage risks. Effective January 1, 1997, after its first year and one-half of operation, the risk pool was superseded by the formation of the CSURMA, a joint powers authority (JPA) governed by a board of directors. Although the CSURMA is an entity comprised exclusively of campus and auxiliary organization members, it is legally separate from the CSU. The CSURMA contracts with Sedgwick James of California, Inc. (hereinafter referred to as Sedgwick) for brokerage, risk management and program administration services. Two other significant service providers under contract include the State Compensation Insurance Fund (SCIF), which administers workers compensation, and the Office of Risk and Insurance Management (ORIM) in the State Department of General Services, which handles tort liability claims. The CSURMA adopted a goal of fully funding each year s liabilities as they are incurred and avoiding budget spikes as large liabilities become payable. Members are assessed an annual premium to cover claims and costs. Premiums are driven, in part, by deductible limits chosen by each campus. The five main CSURMA programs are: 1. Workers Compensation; 2. Liability; 3. NDL/IDL/UI; 4. AGPIP (Auxiliary Group Purchase Insurance Program); and 5. AIME (Athletic Injury Medical Expense). The CSURMA was created under Board of Trustees resolution RFIN 11-96-13, which delegated authority to the chancellor to enter into a joint powers agreement. Pursuant to Section 9.b.iv of the agreement, the CSURMA is authorized to approve any new coverage programs. CSURMA s AGPIP and AIME also fall under this authorization, as well as the newest program intended to provide coverage for construction claims on seven 1997/98 capital outlay projects (none of these projects is located at SDSU). Page 2
INTRODUCTION Executive Order 533, issued by the CSU in August 1988, defines the steps in the risk management process and the traditional means of managing risks as follows: Table 1 EO 533 Excerpts RISK MANAGEMENT STEPS TRADITIONAL MEANS OF MANAGING RISKS 1. Identify the risks. 4 Risk avoidance 2. Evaluate their seriousness. 4 Risk transfer 3. Select the best risk management techniques to manage the risks without unduly curtailing or modifying activities necessary to the CSU mission; 4 Loss prevention and reduction (a.k.a. risk control) 4. Implement appropriate risk management techniques. 4 Risk retention. 5. Monitor and evaluate the results. The risk manager at SDSU is the associate vice president for business enterprises. At the time of our visit, the campus had recently hired a workers compensation manager. During fiscal year 1997/98, the campus carried insurance through the CSURMA. The largest policies were for public entity liabilities, workers compensation and employers liabilities, and intercollegiate athletics. Although two of the three auxiliary organizations at the campus were CSURMA participants, they purchased their insurance elsewhere (as opposed to AGPIP). At the time of our visit, the campus carried a liability deductible of $250,000. There had never been any claims in excess of the deductible, and a higher deductible was being considered. OPINION We visited the San Diego State University campus from March 31 to May 26, 1998, and audited the structure in effect at that time. The campus internal controls were adequate to assure an active risk management function that embraces involvement by a number of key disciplines such as environmental health and safety, personnel services, and purchasing. However, we found neither a formal policy nor specific program evaluations linking risk exposures with mitigation measures. While new initiatives were underway to focus more attention on workers compensation, we feel that additional attention is warranted in the areas mentioned in the executive summary below. EXECUTIVE SUMMARY Page 3
INTRODUCTION The purpose of this section is to provide management with an overview of conditions requiring their attention. Areas of review not mentioned in this section were found to be satisfactory. Numbers in brackets [ ] refer to page numbers in this report. POLICY [5] The campus did not have a formal risk management policy. Implementation of a formal risk management policy would establish a framework for risk identification, mitigation and management evaluation. ADVISORY COUNCIL FUNCTIONS [5] The Risk Management Advisory Council (RMAC) was not functioning as originally designed. An updated RMAC mission/role would clarify expectations in relation to more recent systemwide initiatives. BEST PRACTICES [6] The campus had not fully integrated Sedqwick s improvement opportunities into their workers compensation program. A more formal approach to evaluating these opportunities or deciding on modified alternatives could improve performance in this area. INSURER RATINGS [7] The campus was not checking insurer industry ratings. Comparing proof of insurance coverage against industry standards reduces the risk that the campus would become responsible for assuming claims an unqualified insurer was unable to pay. Page 4
OBSERVATIONS, RECOMMENDATIONS, AND CAMPUS RESPONSES POLICY The campus did not have a formal risk management policy. Executive Order (EO) 533 requires inclusion of five prescribed elements in a campus risk management policy, which are described as: an ongoing process by which appropriate campus administrators (1) identify risks, (2) evaluate their seriousness, (3) select the best risk management techniques to manage the risks without unduly curtailing or modifying activities necessary to the CSU mission, (4) implement appropriate risk management techniques, and (5) monitor and evaluate the results. The associate vice president, business enterprises, stated that the campus was operating under the concept that their Illness and Injury Prevention Program (IIPP) met the requirements of a risk management policy. However, the main IIPP focus is employee health and safety, and EO 533 is specific in stating that... risk management is not limited to health and safety matters. The absence of a formal policy leaves open the possibility for poor risk prioritization, missed risk mitigation opportunities, and inefficient/ineffective risk management. Recommendation 1 We recommend that the campus establish a formal risk management policy. Campus Response We Concur. A Policy has been drafted and will be circulated for proper approvals. An approved policy will be in place no later than November 1, 1999. ADVISORY COUNCIL FUNCTIONS The Risk Management Advisory Council (RMAC) was not functioning as originally designed. For example: The breadth of the RMAC mission statement differed in several campus documents and; Between 1994 and 1996 the frequency of RMAC meetings shifted from the established quarterly or more often to an approximate annual basis. Since February, 1996, there is no record of any RMAC meetings being held. Page 5
OBSERVATIONS, RECOMMENDATIONS AND CAMPUS RESPONSES Section F.3 of the IIPP indicates that the advisory council is charged with advising the vice president on issues relating to environmental health and safety. This charge is not as broad as the mission statement adopted at the July 26, 1993, RMAC meeting. The latter document states, in part, that the council recommends the means by which the university shall be protected against the financial and legal consequences of unavoidable or irreducible risk. The aforementioned documents indicate that the council should meet quarterly. The associate vice president, business enterprises, stated that the role of the campus RMAC has not been reviewed since the formation of the CSU systemwide risk pool and the more recent CSU Risk Management Authority (CSURMA). Recognition of increased systemwide activity may alter the need and focus of the campus RMAC. An outdated RMAC mission/role is misleading. It causes confusion as to what their specific mission/role is and raises questions on the relationship with more recent systemwide initiatives. Recommendation 2 We recommend that the campus re-evaluate the role of the Risk Management Advisory Council. Campus Response We concur. A final decision will be made concurrent with the approval of the formal risk management policy, that is, no later than November 1, 1998. BEST PRACTICES The campus had not fully integrated Sedqwick s improvement opportunities into their workers compensation program. In September1996, Sedgwick concluded their Process Mapping & Best Practices Study for the CSU. This study contained seventeen improvement opportunities/recommendations and process maps for five related employee benefit programs. Sedgwick concluded that, even with the process breakdowns inherent in 1996, CSU achieved only average performance when a higher level was possible. The associate vice president, business enterprises, stated that the campus recognizes that additional attention is warranted in workers compensation. Prior to the commencement of this audit, the campus created a new position to address workers compensation issues and provide management focus and performance improvement. If it does not consider the recommendations further, the campus will lose the benefits of the Sedgwick study. Page 6
OBSERVATIONS, RECOMMENDATIONS AND CAMPUS RESPONSES Recommendation 3 We recommend that the campus review and incorporate Sedgwick s opportunities for improvement in the area of workers compensation administration. Campus Response We concur and have complied. Enclosed is the analysis and report of actions. INSURER RATINGS The campus was not checking insurer industry ratings. The campus collects proof of insurance in service contracts and facility leases. However, none of the subject documents pertaining to the 1996/97 and 1997/98 transactions was checked for insurer acceptability. The January 1993 Sedgwick publication entitled Insurance Requirements in Contracts: A Procedure Manual for CSU Risk Pool Members states that members should require a minimum rating of A:VII by A. M. Best & Co. These ratings are widely used as a standard measurement of insurer acceptability. The assistant director, procurement services, stated that a ratings check was not done in purchasing services because they were unaware of the requirement. A second concern was imposing additional steps that could have a negative impact on the ability to attract qualified bidders. Not performing a ratings check increases the risk that the campus will rely on coverage provided by unqualified insurers. Recommendation 4 We recommend that the campus check insurer ratings and document the results of rating reviews in the contract files. Campus Response We have implemented the recommendation, although we note the insurer ratings are only one factor in deciding whether to approve and execute a contract with a vendor/service provider. Page 7
APPENDIX A: PERSONNEL CONTACTED Name Title Sue Blair Director, Personnel Services Annita Borrega Secretary, Business Services Cathy Garcia Assistant Director, Procurement Services Ellene Gibbs Director, Business Information Management Lynne Grenfell Director, Business Services SDSU Foundation M. C. Hull Director, Environmental Health & Safety Jerry Ledin Associate Director, Personnel Services Janet Luecht Clerical Assistant, Personnel Services Janice Pierce Senior Secretary, Business and Financial Affairs Linda Richter Director, Budget and Planning Richard Schaff Director of Procurement Linda Stewart Assistant Vice President, Business and Financial Affairs Joseph Vasquez Associate Vice President, Business Enterprises Jennifer Venter Project Manager, Personnel Services